openssl_encrypt

(PHP 5 >= 5.3.0, PHP 7, PHP 8)

openssl_encryptEncrypts data

Description

openssl_encrypt(
    string $data,
    string $cipher_algo,
    string $passphrase,
    int $options = 0,
    string $iv = "",
    string &$tag = null,
    string $aad = "",
    int $tag_length = 16
): string|false

Encrypts given data with given method and key, returns a raw or base64 encoded string

Parameters

data

The plaintext message data to be encrypted.

cipher_algo

The cipher method. For a list of available cipher methods, use openssl_get_cipher_methods().

passphrase

The passphrase. If the passphrase is shorter than expected, it is silently padded with NUL characters; if the passphrase is longer than expected, it is silently truncated.

options

options is a bitwise disjunction of the flags OPENSSL_RAW_DATA and OPENSSL_ZERO_PADDING.

iv

A non-NULL Initialization Vector.

tag

The authentication tag passed by reference when using AEAD cipher mode (GCM or CCM).

aad

Additional authentication data.

tag_length

The length of the authentication tag. Its value can be between 4 and 16 for GCM mode.

Return Values

Returns the encrypted string on success or false on failure.

Errors/Exceptions

Emits an E_WARNING level error if an unknown cipher algorithm is passed in via the cipher_algo parameter.

Emits an E_WARNING level error if an empty value is passed in via the iv parameter.

Changelog

Version Description
7.1.0 The tag, aad and tag_length parameters were added.

Examples

Example #1 AES Authenticated Encryption in GCM mode example for PHP 7.1+

<?php
//$key should have been previously generated in a cryptographically safe way, like openssl_random_pseudo_bytes
$plaintext "message to be encrypted";
$cipher "aes-128-gcm";
if (
in_array($cipheropenssl_get_cipher_methods()))
{
    
$ivlen openssl_cipher_iv_length($cipher);
    
$iv openssl_random_pseudo_bytes($ivlen);
    
$ciphertext openssl_encrypt($plaintext$cipher$key$options=0$iv$tag);
    
//store $cipher, $iv, and $tag for decryption later
    
$original_plaintext openssl_decrypt($ciphertext$cipher$key$options=0$iv$tag);
    echo 
$original_plaintext."\n";
}
?>

Example #2 AES Authenticated Encryption example prior to PHP 7.1

<?php
//$key previously generated safely, ie: openssl_random_pseudo_bytes
$plaintext "message to be encrypted";
$ivlen openssl_cipher_iv_length($cipher="AES-128-CBC");
$iv openssl_random_pseudo_bytes($ivlen);
$ciphertext_raw openssl_encrypt($plaintext$cipher$key$options=OPENSSL_RAW_DATA$iv);
$hmac hash_hmac('sha256'$ciphertext_raw$key$as_binary=true);
$ciphertext base64_encode$iv.$hmac.$ciphertext_raw );

//decrypt later....
$c base64_decode($ciphertext);
$ivlen openssl_cipher_iv_length($cipher="AES-128-CBC");
$iv substr($c0$ivlen);
$hmac substr($c$ivlen$sha2len=32);
$ciphertext_raw substr($c$ivlen+$sha2len);
$original_plaintext openssl_decrypt($ciphertext_raw$cipher$key$options=OPENSSL_RAW_DATA$iv);
$calcmac hash_hmac('sha256'$ciphertext_raw$key$as_binary=true);
if (
hash_equals($hmac$calcmac))// timing attack safe comparison
{
    echo 
$original_plaintext."\n";
}
?>

See Also